Xoxoday Loyalife is certified under SOC 2 Type II and ISO/IEC 27001:2022, complies with GDPR, CCPA, India’s DPDP Act, UAE PDPL, and Singapore PDPA, and protects all customer data using AES-256 encryption at rest and TLS 1.2 encryption in transit.
Security Certifications
Xoxoday Loyalife complies with globally recognised information security and data privacy standards. Xoxoday Loyalife holds SOC 2 Type II and ISO/IEC 27001:2022 certifications, each independently audited by third-party assessors on a regular basis. This gives enterprise procurement teams, IT security reviewers, and data protection officers documented evidence of operational security controls at the time of vendor onboarding. Beyond these core certifications, Xoxoday Loyalife adheres to GDPR, CCPA (California Consumer Privacy Act), India’s Digital Personal Data Protection Act (DPDP Act), the UAE Personal Data Protection Law (PDPL), and Singapore’s Personal Data Protection Act (PDPA). Organisations operating across multiple geographies can deploy Xoxoday Loyalife without maintaining separate compliance stacks for each region. Compliance reviews and third-party penetration tests are conducted at minimum annually and following any significant architectural change.
Encryption at Rest and in Transit
Xoxoday Loyalife protects all sensitive data—including customer PII, credentials, and transactional records—using AES-256 encryption at rest. All data moving between systems is secured with TLS 1.2. Passwords are never stored in plain text; Xoxoday Loyalife hashes them using bcrypt, an adaptive algorithm designed to remain resistant to brute-force attacks as hardware capabilities increase. For organisations integrating Xoxoday Loyalife with HRMS platforms such as Workday, SAP SuccessFactors, or Darwinbox, all data exchange interfaces authenticate via OAuth 2.0 or HMAC-based signatures. This ensures tokens and payloads cannot be tampered with in transit and that only verified systems can initiate data flows.
Access Controls and Sensitive Field Handling
Xoxoday Loyalife enforces Role-Based Access Control (RBAC) across its administrative interface, so programme managers, analysts, and integration engineers access only the data and functions relevant to their role. Sensitive fields are protected through data masking and tokenisation, meaning raw values such as payment identifiers are never exposed in logs, API responses, or reporting outputs. Organisations connecting Xoxoday Loyalife to collaboration tools such as Slack or Microsoft Teams for rewards delivery notifications do so through secured OAuth and webhook flows, keeping notification payloads free of raw PII at every step. These controls collectively satisfy the security requirements that enterprise IT and legal teams apply during vendor due diligence and throughout ongoing compliance assessments.
Learn more: Xoxoday Loyalife Help Centre — General
Data Privacy Compliance Frameworks
How Xoxoday Loyalife meets GDPR, CCPA, DPDP Act, and other regional data protection laws across deployment geographies.
API Security and Authentication
How Xoxoday Loyalife uses OAuth 2.0 and HMAC-based authentication to secure all integration and data exchange interfaces.